From: Justin P. <jp...@lu...> - 2007-11-10 00:58:52
|
Distro: Debian Testing PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 4294 root 20 0 81012 5264 1624 S 100 0.1 2:23.83 fail2ban-server With DEBUG = 4 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Date 0 is smaller than 1186827946.0 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Log rotation detected for /var/log/mail.log 2007-11-09 19:55:34,370 fail2ban.filter : DEBUG Setting file position to 0 for /var/log/mail.log Any idea what's going on? Stracing the process reveals: futex(0x807360, FUTEX_WAKE, 1) = 1 futex(0x807360, FUTEX_WAKE, 1) = 0 select(0, NULL, NULL, NULL, {0, 1000}) = 0 (Timeout) futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 select(0, NULL, NULL, NULL, {0, 2000}) = 0 (Timeout) futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 select(0, NULL, NULL, NULL, {0, 4000}) = 0 (Timeout) futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 select(0, NULL, NULL, NULL, {0, 8000}) = 0 (Timeout) futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 select(0, NULL, NULL, NULL, {0, 16000}) = 0 (Timeout) futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 select(0, NULL, NULL, NULL, {0, 32000}) = 0 (Timeout) futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 select(0, NULL, NULL, NULL, {0, 50000}) = 0 (Timeout) futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 futex(0x807360, FUTEX_WAKE, 1) = 0 Justin. |
From: Yaroslav H. <li...@on...> - 2007-11-10 15:58:20
|
does restart help? does fresh tarball as Cyril suggested to try in thread Fail2Ban high cpu usage help? On Fri, 09 Nov 2007, Justin Piszcz wrote: > Distro: Debian Testing > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > 4294 root 20 0 81012 5264 1624 S 100 0.1 2:23.83 fail2ban-server > With DEBUG = 4 > 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Date 0 is smaller than > 1186827946.0 > 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Log rotation detected for > /var/log/mail.log > 2007-11-09 19:55:34,370 fail2ban.filter : DEBUG Setting file position to > 0 for /var/log/mail.log > Any idea what's going on? > Stracing the process reveals: > futex(0x807360, FUTEX_WAKE, 1) = 1 > futex(0x807360, FUTEX_WAKE, 1) = 0 > select(0, NULL, NULL, NULL, {0, 1000}) = 0 (Timeout) > futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > select(0, NULL, NULL, NULL, {0, 2000}) = 0 (Timeout) > futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > select(0, NULL, NULL, NULL, {0, 4000}) = 0 (Timeout) > futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > select(0, NULL, NULL, NULL, {0, 8000}) = 0 (Timeout) > futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > select(0, NULL, NULL, NULL, {0, 16000}) = 0 (Timeout) > futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > select(0, NULL, NULL, NULL, {0, 32000}) = 0 (Timeout) > futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > select(0, NULL, NULL, NULL, {0, 50000}) = 0 (Timeout) > futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > futex(0x807360, FUTEX_WAKE, 1) = 0 > Justin. > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. > Still grepping through log files to find problems? Stop. > Now Search log events and configuration files using AJAX and a browser. > Download your FREE copy of Splunk now >> http://get.splunk.com/ > _______________________________________________ > Fail2ban-users mailing list > Fai...@li... > https://lists.sourceforge.net/lists/listinfo/fail2ban-users -- .-. =------------------------------ /v\ ----------------------------= Keep in touch // \\ (yoh@|www.)onerussian.com Yaroslav Halchenko /( )\ ICQ#: 60653192 Linux User ^^-^^ [175555] |
From: Justin P. <jp...@lu...> - 2007-11-10 16:00:29
|
Restart/reboot does not help, I am monitoring 1 logfile, mail.log. It appears I got unsubscribed from the mailing list or did not receive that e-mail if it was in this thread? Do we know what causes the bug? Unless you mean a previous thread from a couple months ago? On Sat, 10 Nov 2007, Yaroslav Halchenko wrote: > does restart help? > > does fresh tarball as Cyril suggested to try in thread > Fail2Ban high cpu usage > help? > > On Fri, 09 Nov 2007, Justin Piszcz wrote: > >> Distro: Debian Testing > >> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND >> 4294 root 20 0 81012 5264 1624 S 100 0.1 2:23.83 fail2ban-server > >> With DEBUG = 4 > >> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Date 0 is smaller than >> 1186827946.0 >> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Log rotation detected for >> /var/log/mail.log >> 2007-11-09 19:55:34,370 fail2ban.filter : DEBUG Setting file position to >> 0 for /var/log/mail.log > >> Any idea what's going on? > >> Stracing the process reveals: > >> futex(0x807360, FUTEX_WAKE, 1) = 1 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> select(0, NULL, NULL, NULL, {0, 1000}) = 0 (Timeout) >> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> select(0, NULL, NULL, NULL, {0, 2000}) = 0 (Timeout) >> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> select(0, NULL, NULL, NULL, {0, 4000}) = 0 (Timeout) >> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> select(0, NULL, NULL, NULL, {0, 8000}) = 0 (Timeout) >> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> select(0, NULL, NULL, NULL, {0, 16000}) = 0 (Timeout) >> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> select(0, NULL, NULL, NULL, {0, 32000}) = 0 (Timeout) >> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> select(0, NULL, NULL, NULL, {0, 50000}) = 0 (Timeout) >> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 >> futex(0x807360, FUTEX_WAKE, 1) = 0 > >> Justin. > >> ------------------------------------------------------------------------- >> This SF.net email is sponsored by: Splunk Inc. >> Still grepping through log files to find problems? Stop. >> Now Search log events and configuration files using AJAX and a browser. >> Download your FREE copy of Splunk now >> http://get.splunk.com/ >> _______________________________________________ >> Fail2ban-users mailing list >> Fai...@li... >> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > > -- > .-. > =------------------------------ /v\ ----------------------------= > Keep in touch // \\ (yoh@|www.)onerussian.com > Yaroslav Halchenko /( )\ ICQ#: 60653192 > Linux User ^^-^^ [175555] > > |
From: Justin P. <jp...@lu...> - 2007-11-10 16:01:29
|
http://sourceforge.net/mailarchive/forum.php?thread_name=2E31CE60-239F-4079-B3FB-7B3EF6A0C23F%40lemonbit.nl&forum_name=fail2ban-users Ahh here.. Wonder if this has been sent as a Debian bug report yet.. Justin. On Sat, 10 Nov 2007, Justin Piszcz wrote: > Restart/reboot does not help, I am monitoring 1 logfile, mail.log. It > appears I got unsubscribed from the mailing list or did not receive that > e-mail if it was in this thread? Do we know what causes the bug? Unless > you mean a previous thread from a couple months ago? > > On Sat, 10 Nov 2007, Yaroslav Halchenko wrote: > >> does restart help? >> >> does fresh tarball as Cyril suggested to try in thread >> Fail2Ban high cpu usage >> help? >> >> On Fri, 09 Nov 2007, Justin Piszcz wrote: >> >>> Distro: Debian Testing >> >>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND >>> 4294 root 20 0 81012 5264 1624 S 100 0.1 2:23.83 fail2ban-server >> >>> With DEBUG = 4 >> >>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Date 0 is smaller than >>> 1186827946.0 >>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Log rotation detected for >>> /var/log/mail.log >>> 2007-11-09 19:55:34,370 fail2ban.filter : DEBUG Setting file position to >>> 0 for /var/log/mail.log >> >>> Any idea what's going on? >> >>> Stracing the process reveals: >> >>> futex(0x807360, FUTEX_WAKE, 1) = 1 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> select(0, NULL, NULL, NULL, {0, 1000}) = 0 (Timeout) >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> select(0, NULL, NULL, NULL, {0, 2000}) = 0 (Timeout) >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> select(0, NULL, NULL, NULL, {0, 4000}) = 0 (Timeout) >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> select(0, NULL, NULL, NULL, {0, 8000}) = 0 (Timeout) >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> select(0, NULL, NULL, NULL, {0, 16000}) = 0 (Timeout) >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> select(0, NULL, NULL, NULL, {0, 32000}) = 0 (Timeout) >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> select(0, NULL, NULL, NULL, {0, 50000}) = 0 (Timeout) >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>> futex(0x807360, FUTEX_WAKE, 1) = 0 >> >>> Justin. >> >>> ------------------------------------------------------------------------- >>> This SF.net email is sponsored by: Splunk Inc. >>> Still grepping through log files to find problems? Stop. >>> Now Search log events and configuration files using AJAX and a browser. >>> Download your FREE copy of Splunk now >> http://get.splunk.com/ >>> _______________________________________________ >>> Fail2ban-users mailing list >>> Fai...@li... >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users >> >> >> -- >> .-. >> =------------------------------ /v\ ----------------------------= >> Keep in touch // \\ (yoh@|www.)onerussian.com >> Yaroslav Halchenko /( )\ ICQ#: 60653192 >> Linux User ^^-^^ [175555] >> >> > > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. > Still grepping through log files to find problems? Stop. > Now Search log events and configuration files using AJAX and a browser. > Download your FREE copy of Splunk now >> http://get.splunk.com/ > _______________________________________________ > Fail2ban-users mailing list > Fai...@li... > https://lists.sourceforge.net/lists/listinfo/fail2ban-users > |
From: Yaroslav H. <li...@on...> - 2007-11-11 06:59:42
|
Please give a try to http://itanix.rutgers.edu/rumba/dists/sid/perspect/binary-all/net/fail2ban_0.8.1-3~pre1_all.deb I propagated that new communication Cyril implemented in 0.9 branch. Since it seems that more people hit the same issue with 0.8 version, it might be reasonable to provide that new module within 0.8 as a bug fix ;-) Let me know if it works fine and I will upload it to debian if no side-effects are mentioned On Sat, 10 Nov 2007, Justin Piszcz wrote: > http://sourceforge.net/mailarchive/forum.php?thread_name=2E31CE60-239F-4079-B3FB-7B3EF6A0C23F%40lemonbit.nl&forum_name=fail2ban-users > Ahh here.. Wonder if this has been sent as a Debian bug report yet.. > Justin. > On Sat, 10 Nov 2007, Justin Piszcz wrote: > > Restart/reboot does not help, I am monitoring 1 logfile, mail.log. It > > appears I got unsubscribed from the mailing list or did not receive that > > e-mail if it was in this thread? Do we know what causes the bug? Unless > > you mean a previous thread from a couple months ago? > > On Sat, 10 Nov 2007, Yaroslav Halchenko wrote: > >> does restart help? > >> does fresh tarball as Cyril suggested to try in thread > >> Fail2Ban high cpu usage > >> help? > >> On Fri, 09 Nov 2007, Justin Piszcz wrote: > >>> Distro: Debian Testing > >>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > >>> 4294 root 20 0 81012 5264 1624 S 100 0.1 2:23.83 fail2ban-server > >>> With DEBUG = 4 > >>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Date 0 is smaller than > >>> 1186827946.0 > >>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Log rotation detected for > >>> /var/log/mail.log > >>> 2007-11-09 19:55:34,370 fail2ban.filter : DEBUG Setting file position to > >>> 0 for /var/log/mail.log > >>> Any idea what's going on? > >>> Stracing the process reveals: > >>> futex(0x807360, FUTEX_WAKE, 1) = 1 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> select(0, NULL, NULL, NULL, {0, 1000}) = 0 (Timeout) > >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> select(0, NULL, NULL, NULL, {0, 2000}) = 0 (Timeout) > >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> select(0, NULL, NULL, NULL, {0, 4000}) = 0 (Timeout) > >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> select(0, NULL, NULL, NULL, {0, 8000}) = 0 (Timeout) > >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> select(0, NULL, NULL, NULL, {0, 16000}) = 0 (Timeout) > >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> select(0, NULL, NULL, NULL, {0, 32000}) = 0 (Timeout) > >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> select(0, NULL, NULL, NULL, {0, 50000}) = 0 (Timeout) > >>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>> Justin. > >>> ------------------------------------------------------------------------- > >>> This SF.net email is sponsored by: Splunk Inc. > >>> Still grepping through log files to find problems? Stop. > >>> Now Search log events and configuration files using AJAX and a browser. > >>> Download your FREE copy of Splunk now >> http://get.splunk.com/ > >>> _______________________________________________ > >>> Fail2ban-users mailing list > >>> Fai...@li... > >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > >> -- > >> .-. > >> =------------------------------ /v\ ----------------------------= > >> Keep in touch // \\ (yoh@|www.)onerussian.com > >> Yaroslav Halchenko /( )\ ICQ#: 60653192 > >> Linux User ^^-^^ [175555] > > ------------------------------------------------------------------------- > > This SF.net email is sponsored by: Splunk Inc. > > Still grepping through log files to find problems? Stop. > > Now Search log events and configuration files using AJAX and a browser. > > Download your FREE copy of Splunk now >> http://get.splunk.com/ > > _______________________________________________ > > Fail2ban-users mailing list > > Fai...@li... > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. > Still grepping through log files to find problems? Stop. > Now Search log events and configuration files using AJAX and a browser. > Download your FREE copy of Splunk now >> http://get.splunk.com/ > _______________________________________________ > Fail2ban-users mailing list > Fai...@li... > https://lists.sourceforge.net/lists/listinfo/fail2ban-users -- .-. =------------------------------ /v\ ----------------------------= Keep in touch // \\ (yoh@|www.)onerussian.com Yaroslav Halchenko /( )\ ICQ#: 60653192 Linux User ^^-^^ [175555] |
From: Justin P. <jp...@lu...> - 2007-11-11 10:30:51
|
Giving it a try now. Same problem, 100% CPU again. # dpkg -l | grep -i fail2 ii fail2ban 0.8.1-3~pre1 bans IPs that cause multiple authentication 2007-11-11 05:29:45,863 fail2ban.filter : DEBUG Date 0 is smaller than 1186827946.0 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Log rotation detected for /var/log/mail.log 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Setting file position to 0 for /var/log/mail.log :( Justin. On Sun, 11 Nov 2007, Yaroslav Halchenko wrote: > Please give a try to > http://itanix.rutgers.edu/rumba/dists/sid/perspect/binary-all/net/fail2ban_0.8.1-3~pre1_all.deb > > I propagated that new communication Cyril implemented in 0.9 branch. > Since it seems that more people hit the same issue with 0.8 version, it > might be reasonable to provide that new module within 0.8 as a bug fix > ;-) > > Let me know if it works fine and I will upload it to debian if no > side-effects are mentioned > > On Sat, 10 Nov 2007, Justin Piszcz wrote: > >> http://sourceforge.net/mailarchive/forum.php?thread_name=2E31CE60-239F-4079-B3FB-7B3EF6A0C23F%40lemonbit.nl&forum_name=fail2ban-users > >> Ahh here.. Wonder if this has been sent as a Debian bug report yet.. > >> Justin. > >> On Sat, 10 Nov 2007, Justin Piszcz wrote: > >>> Restart/reboot does not help, I am monitoring 1 logfile, mail.log. It >>> appears I got unsubscribed from the mailing list or did not receive that >>> e-mail if it was in this thread? Do we know what causes the bug? Unless >>> you mean a previous thread from a couple months ago? > >>> On Sat, 10 Nov 2007, Yaroslav Halchenko wrote: > >>>> does restart help? > >>>> does fresh tarball as Cyril suggested to try in thread >>>> Fail2Ban high cpu usage >>>> help? > >>>> On Fri, 09 Nov 2007, Justin Piszcz wrote: > >>>>> Distro: Debian Testing > >>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND >>>>> 4294 root 20 0 81012 5264 1624 S 100 0.1 2:23.83 fail2ban-server > >>>>> With DEBUG = 4 > >>>>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Date 0 is smaller than >>>>> 1186827946.0 >>>>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Log rotation detected for >>>>> /var/log/mail.log >>>>> 2007-11-09 19:55:34,370 fail2ban.filter : DEBUG Setting file position to >>>>> 0 for /var/log/mail.log > >>>>> Any idea what's going on? > >>>>> Stracing the process reveals: > >>>>> futex(0x807360, FUTEX_WAKE, 1) = 1 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> select(0, NULL, NULL, NULL, {0, 1000}) = 0 (Timeout) >>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> select(0, NULL, NULL, NULL, {0, 2000}) = 0 (Timeout) >>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> select(0, NULL, NULL, NULL, {0, 4000}) = 0 (Timeout) >>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> select(0, NULL, NULL, NULL, {0, 8000}) = 0 (Timeout) >>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> select(0, NULL, NULL, NULL, {0, 16000}) = 0 (Timeout) >>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> select(0, NULL, NULL, NULL, {0, 32000}) = 0 (Timeout) >>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> select(0, NULL, NULL, NULL, {0, 50000}) = 0 (Timeout) >>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>> Justin. > >>>>> ------------------------------------------------------------------------- >>>>> This SF.net email is sponsored by: Splunk Inc. >>>>> Still grepping through log files to find problems? Stop. >>>>> Now Search log events and configuration files using AJAX and a browser. >>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/ >>>>> _______________________________________________ >>>>> Fail2ban-users mailing list >>>>> Fai...@li... >>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > >>>> -- >>>> .-. >>>> =------------------------------ /v\ ----------------------------= >>>> Keep in touch // \\ (yoh@|www.)onerussian.com >>>> Yaroslav Halchenko /( )\ ICQ#: 60653192 >>>> Linux User ^^-^^ [175555] > > > >>> ------------------------------------------------------------------------- >>> This SF.net email is sponsored by: Splunk Inc. >>> Still grepping through log files to find problems? Stop. >>> Now Search log events and configuration files using AJAX and a browser. >>> Download your FREE copy of Splunk now >> http://get.splunk.com/ >>> _______________________________________________ >>> Fail2ban-users mailing list >>> Fai...@li... >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > >> ------------------------------------------------------------------------- >> This SF.net email is sponsored by: Splunk Inc. >> Still grepping through log files to find problems? Stop. >> Now Search log events and configuration files using AJAX and a browser. >> Download your FREE copy of Splunk now >> http://get.splunk.com/ >> _______________________________________________ >> Fail2ban-users mailing list >> Fai...@li... >> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > > -- > .-. > =------------------------------ /v\ ----------------------------= > Keep in touch // \\ (yoh@|www.)onerussian.com > Yaroslav Halchenko /( )\ ICQ#: 60653192 > Linux User ^^-^^ [175555] > > |
From: Justin P. <jp...@lu...> - 2007-11-11 10:39:00
|
Hm I may have found what causes the bug, checking into it. Justin. On Sun, 11 Nov 2007, Justin Piszcz wrote: > Giving it a try now. > > Same problem, 100% CPU again. > # dpkg -l | grep -i fail2 > ii fail2ban 0.8.1-3~pre1 bans IPs > that cause multiple authentication > > 2007-11-11 05:29:45,863 fail2ban.filter : DEBUG Date 0 is smaller than > 1186827946.0 > 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Log rotation detected for > /var/log/mail.log > 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Setting file position to 0 > for /var/log/mail.log > > :( > > Justin. > > On Sun, 11 Nov 2007, Yaroslav Halchenko wrote: > >> Please give a try to >> http://itanix.rutgers.edu/rumba/dists/sid/perspect/binary-all/net/fail2ban_0.8.1-3~pre1_all.deb >> >> I propagated that new communication Cyril implemented in 0.9 branch. >> Since it seems that more people hit the same issue with 0.8 version, it >> might be reasonable to provide that new module within 0.8 as a bug fix >> ;-) >> >> Let me know if it works fine and I will upload it to debian if no >> side-effects are mentioned >> >> On Sat, 10 Nov 2007, Justin Piszcz wrote: >> >>> http://sourceforge.net/mailarchive/forum.php?thread_name=2E31CE60-239F-4079-B3FB-7B3EF6A0C23F%40lemonbit.nl&forum_name=fail2ban-users >> >>> Ahh here.. Wonder if this has been sent as a Debian bug report yet.. >> >>> Justin. >> >>> On Sat, 10 Nov 2007, Justin Piszcz wrote: >> >>>> Restart/reboot does not help, I am monitoring 1 logfile, mail.log. It >>>> appears I got unsubscribed from the mailing list or did not receive that >>>> e-mail if it was in this thread? Do we know what causes the bug? Unless >>>> you mean a previous thread from a couple months ago? >> >>>> On Sat, 10 Nov 2007, Yaroslav Halchenko wrote: >> >>>>> does restart help? >> >>>>> does fresh tarball as Cyril suggested to try in thread >>>>> Fail2Ban high cpu usage >>>>> help? >> >>>>> On Fri, 09 Nov 2007, Justin Piszcz wrote: >> >>>>>> Distro: Debian Testing >> >>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND >>>>>> 4294 root 20 0 81012 5264 1624 S 100 0.1 2:23.83 >>>>>> fail2ban-server >> >>>>>> With DEBUG = 4 >> >>>>>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Date 0 is smaller than >>>>>> 1186827946.0 >>>>>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Log rotation detected >>>>>> for >>>>>> /var/log/mail.log >>>>>> 2007-11-09 19:55:34,370 fail2ban.filter : DEBUG Setting file position >>>>>> to >>>>>> 0 for /var/log/mail.log >> >>>>>> Any idea what's going on? >> >>>>>> Stracing the process reveals: >> >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 1 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> select(0, NULL, NULL, NULL, {0, 1000}) = 0 (Timeout) >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> select(0, NULL, NULL, NULL, {0, 2000}) = 0 (Timeout) >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> select(0, NULL, NULL, NULL, {0, 4000}) = 0 (Timeout) >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> select(0, NULL, NULL, NULL, {0, 8000}) = 0 (Timeout) >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> select(0, NULL, NULL, NULL, {0, 16000}) = 0 (Timeout) >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> select(0, NULL, NULL, NULL, {0, 32000}) = 0 (Timeout) >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> select(0, NULL, NULL, NULL, {0, 50000}) = 0 (Timeout) >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >> >>>>>> Justin. >> >>>>>> >>>>>> ------------------------------------------------------------------------- >>>>>> This SF.net email is sponsored by: Splunk Inc. >>>>>> Still grepping through log files to find problems? Stop. >>>>>> Now Search log events and configuration files using AJAX and a browser. >>>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/ >>>>>> _______________________________________________ >>>>>> Fail2ban-users mailing list >>>>>> Fai...@li... >>>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users >> >> >>>>> -- >>>>> .-. >>>>> =------------------------------ /v\ ----------------------------= >>>>> Keep in touch // \\ (yoh@|www.)onerussian.com >>>>> Yaroslav Halchenko /( )\ ICQ#: 60653192 >>>>> Linux User ^^-^^ [175555] >> >> >> >>>> ------------------------------------------------------------------------- >>>> This SF.net email is sponsored by: Splunk Inc. >>>> Still grepping through log files to find problems? Stop. >>>> Now Search log events and configuration files using AJAX and a browser. >>>> Download your FREE copy of Splunk now >> http://get.splunk.com/ >>>> _______________________________________________ >>>> Fail2ban-users mailing list >>>> Fai...@li... >>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users >> >> >>> ------------------------------------------------------------------------- >>> This SF.net email is sponsored by: Splunk Inc. >>> Still grepping through log files to find problems? Stop. >>> Now Search log events and configuration files using AJAX and a browser. >>> Download your FREE copy of Splunk now >> http://get.splunk.com/ >>> _______________________________________________ >>> Fail2ban-users mailing list >>> Fai...@li... >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users >> >> >> -- >> .-. >> =------------------------------ /v\ ----------------------------= >> Keep in touch // \\ (yoh@|www.)onerussian.com >> Yaroslav Halchenko /( )\ ICQ#: 60653192 >> Linux User ^^-^^ [175555] >> >> > |
From: Justin P. <jp...@lu...> - 2007-11-11 11:27:47
|
On Sun, 11 Nov 2007, Justin Piszcz wrote: > Hm I may have found what causes the bug, checking into it. > > Justin. > > On Sun, 11 Nov 2007, Justin Piszcz wrote: > >> Giving it a try now. >> >> Same problem, 100% CPU again. >> # dpkg -l | grep -i fail2 >> ii fail2ban 0.8.1-3~pre1 bans IPs >> that cause multiple authentication >> >> 2007-11-11 05:29:45,863 fail2ban.filter : DEBUG Date 0 is smaller than >> 1186827946.0 >> 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Log rotation detected for >> /var/log/mail.log >> 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Setting file position to 0 >> for /var/log/mail.log >> >> :( >> >> Justin. >> >From previous e-mail: > 2007-11-11 05:29:45,863 fail2ban.filter : DEBUG Date 0 is smaller than > 1186827946.0 $ stat mail.log File: `mail.log' Size: 51318803 Blocks: 100392 IO Block: 4096 regular file Device: 902h/2306d Inode: 201341691 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 4/ adm) Access: 2007-08-11 06:25:16.426138533 -0400 Modify: 2007-11-11 05:36:15.925705202 -0500 Change: 2007-11-11 05:36:15.925705202 -0500 $ e2d 1186827946 unix time: 1186827946 ; std time: 08/11/2007 06:25:46 The access time appears to be too old? $ touch mail.log File: `mail.log' Size: 51365646 Blocks: 100368 IO Block: 4096 regular file Device: 902h/2306d Inode: 201341691 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 4/ adm) Access: 2007-11-11 06:23:42.019018754 -0500 Modify: 2007-11-11 06:23:42.019018754 -0500 Change: 2007-11-11 06:23:42.019018754 -0500 (.. still no luck.. -- 100% CPU) # mv mail.log mail.log.old # /etc/init.d/sysklogd restart # /etc/init.d/fail2ban restart Restarting authentication failure monitor: fail2ban. PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 29274 root 20 0 84488 4488 1172 S 1 0.1 0:00.02 fail2ban-server So it appears if the file is either too big or there is bad data in the logfile you are parsing, fail2ban does not work, ok.. I have kept the old mail.log file if the fail2ban author requests/asks if we can find out exactly what is causing the bug, but for now this workaround seems to work. Justin. |
From: Justin P. <jp...@lu...> - 2007-11-11 11:30:11
|
On Sun, 11 Nov 2007, Justin Piszcz wrote: > > On Sun, 11 Nov 2007, Justin Piszcz wrote: > >> Hm I may have found what causes the bug, checking into it. >> >> Justin. >> >> On Sun, 11 Nov 2007, Justin Piszcz wrote: >> >>> Giving it a try now. >>> >>> Same problem, 100% CPU again. >>> # dpkg -l | grep -i fail2 >>> ii fail2ban 0.8.1-3~pre1 bans IPs >>> that cause multiple authentication >>> >>> 2007-11-11 05:29:45,863 fail2ban.filter : DEBUG Date 0 is smaller than >>> 1186827946.0 >>> 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Log rotation detected for >>> /var/log/mail.log >>> 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Setting file position to 0 >>> for /var/log/mail.log >>> >>> :( >>> >>> Justin. >>> > >> From previous e-mail: > >> 2007-11-11 05:29:45,863 fail2ban.filter : DEBUG Date 0 is smaller than >> 1186827946.0 > > $ stat mail.log > File: `mail.log' > Size: 51318803 Blocks: 100392 IO Block: 4096 regular file > Device: 902h/2306d Inode: 201341691 Links: 1 > Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 4/ adm) > Access: 2007-08-11 06:25:16.426138533 -0400 > Modify: 2007-11-11 05:36:15.925705202 -0500 > Change: 2007-11-11 05:36:15.925705202 -0500 > > $ e2d 1186827946 > unix time: 1186827946 ; std time: 08/11/2007 06:25:46 > > The access time appears to be too old? > > $ touch mail.log > File: `mail.log' > Size: 51365646 Blocks: 100368 IO Block: 4096 regular file > Device: 902h/2306d Inode: 201341691 Links: 1 > Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 4/ adm) > Access: 2007-11-11 06:23:42.019018754 -0500 > Modify: 2007-11-11 06:23:42.019018754 -0500 > Change: 2007-11-11 06:23:42.019018754 -0500 > > (.. still no luck.. -- 100% CPU) > > # mv mail.log mail.log.old > # /etc/init.d/sysklogd restart > # /etc/init.d/fail2ban restart > Restarting authentication failure monitor: fail2ban. > > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > 29274 root 20 0 84488 4488 1172 S 1 0.1 0:00.02 fail2ban-server > > So it appears if the file is either too big or there is bad data in the logfile > you are parsing, fail2ban does not work, ok.. I have kept the old mail.log > file if the fail2ban author requests/asks if we can find out exactly what is > causing the bug, but for now this workaround seems to work. > > Justin. BTW: I used 0.8.1-2 since the 0.8.1-3 version still had the same problem. $ dpkg -l | grep -i fail2ban ii fail2ban 0.8.1-2 bans IPs that cause multiple authentication |
From: Yaroslav H. <li...@on...> - 2007-11-11 15:58:03
|
> $ e2d 1186827946 unix time: 1186827946 ; std time: 08/11/2007 06:25:46 > The access time appears to be too old? probably it is just that partition is mounted with noatime option > So it appears if the file is either too big or there is bad data in the logfile > you are parsing, fail2ban does not work, ok.. I have kept the old mail.log > file if the fail2ban author requests/asks if we can find out exactly what is > causing the bug, but for now this workaround seems to work. size shouldn't matter, it has something to do with some unsynchronized datastamps in log file and system time... if you could provide the file as well as your configuration for fail2ban I could try to see if I can reproduce the issue > Justin. -- .-. =------------------------------ /v\ ----------------------------= Keep in touch // \\ (yoh@|www.)onerussian.com Yaroslav Halchenko /( )\ ICQ#: 60653192 Linux User ^^-^^ [175555] |
From: Cyril J. <cyr...@fa...> - 2007-11-13 23:41:19
|
> 100% CPU utilization with the mail.log attached. > Mmhhh... I can't reproduce this here :/ fail2ban uses 100% CPU during a few seconds but this goes down to 0 afterwards. Could this be specific to the Debian package? I don't think so but who knows... I should receive my new Thinkpad T61 next week. I have already downloaded a Debian netinst CD :) I have not used a binary distribution on my private computers for many years (I'm a Gentoo user). So I will be able to test fail2ban Debian package directly :) > The date alone causes it to go into a bad loop, you're right, where in > the file, not sure but its attached you can check :) > > Aug 22 02:03:04 p34 > Aug 22 02:03:05 p34 > Aug 22 02:03:49 p34 > Aug 22 02:03:57 p34 > Aug 22 02:04:33 p34 > Aug 22 02:04:33 p34 > Aug 22 02:04:33 p34 > Sorry Justin, I rejected your previous e-mail. Attachment was a bit too big for the list ;) Cheers, Cyril |
From: Justin P. <jp...@lu...> - 2007-11-14 01:16:32
|
Got it, running Debian Lenny (testing here).. On Wed, 14 Nov 2007, Cyril Jaquier wrote: >> 100% CPU utilization with the mail.log attached. >> > > Mmhhh... I can't reproduce this here :/ fail2ban uses 100% CPU during a > few seconds but this goes down to 0 afterwards. Could this be specific > to the Debian package? I don't think so but who knows... > > I should receive my new Thinkpad T61 next week. I have already > downloaded a Debian netinst CD :) I have not used a binary distribution > on my private computers for many years (I'm a Gentoo user). So I will be > able to test fail2ban Debian package directly :) > >> The date alone causes it to go into a bad loop, you're right, where in >> the file, not sure but its attached you can check :) >> >> Aug 22 02:03:04 p34 >> Aug 22 02:03:05 p34 >> Aug 22 02:03:49 p34 >> Aug 22 02:03:57 p34 >> Aug 22 02:04:33 p34 >> Aug 22 02:04:33 p34 >> Aug 22 02:04:33 p34 >> > > Sorry Justin, I rejected your previous e-mail. Attachment was a bit too > big for the list ;) > > Cheers, > > Cyril > |
From: Yaroslav H. <li...@on...> - 2007-11-14 02:22:44
|
Most prominent Debian specific configuration is default backend -- pooling. I should check - may be gamin started to work properly on debian systems ;-) On Wed, 14 Nov 2007, Cyril Jaquier wrote: > I should receive my new Thinkpad T61 next week. I have already congrats! My X61 is scheduled to be shipped only Dec 01... heh heh > downloaded a Debian netinst CD :) I have not used a binary distribution > on my private computers for many years (I'm a Gentoo user). So I will be > able to test fail2ban Debian package directly :) you could install it in chroot... there might be a version of debootstrap in the distribution you are under at the moment -- it would help you to install debian's chroot -- .-. =------------------------------ /v\ ----------------------------= Keep in touch // \\ (yoh@|www.)onerussian.com Yaroslav Halchenko /( )\ ICQ#: 60653192 Linux User ^^-^^ [175555] |
From: Justin P. <jp...@lu...> - 2007-11-14 09:06:33
|
Using Polling, yup. Justin. On Tue, 13 Nov 2007, Yaroslav Halchenko wrote: > Most prominent Debian specific configuration is default backend -- > pooling. I should check - may be gamin started to work properly on > debian systems ;-) > > On Wed, 14 Nov 2007, Cyril Jaquier wrote: >> I should receive my new Thinkpad T61 next week. I have already > congrats! My X61 is scheduled to be shipped only Dec 01... heh heh > >> downloaded a Debian netinst CD :) I have not used a binary distribution >> on my private computers for many years (I'm a Gentoo user). So I will be >> able to test fail2ban Debian package directly :) > you could install it in chroot... there might be a version of > debootstrap in the distribution you are under at the moment -- it would > help you to install debian's chroot > > -- > .-. > =------------------------------ /v\ ----------------------------= > Keep in touch // \\ (yoh@|www.)onerussian.com > Yaroslav Halchenko /( )\ ICQ#: 60653192 > Linux User ^^-^^ [175555] > > > > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. > Still grepping through log files to find problems? Stop. > Now Search log events and configuration files using AJAX and a browser. > Download your FREE copy of Splunk now >> http://get.splunk.com/ > _______________________________________________ > Fail2ban-users mailing list > Fai...@li... > https://lists.sourceforge.net/lists/listinfo/fail2ban-users > |
From: Yaroslav H. <li...@on...> - 2007-11-11 15:17:19
|
do... blind me... I guess you are using sendmail? could you have a look at the thread "Log Rotation Detection and High CPU Overhead" ? On Sun, 11 Nov 2007, Justin Piszcz wrote: > Hm I may have found what causes the bug, checking into it. > Justin. > On Sun, 11 Nov 2007, Justin Piszcz wrote: > > Giving it a try now. > > Same problem, 100% CPU again. > > # dpkg -l | grep -i fail2 > > ii fail2ban 0.8.1-3~pre1 bans IPs > > that cause multiple authentication > > 2007-11-11 05:29:45,863 fail2ban.filter : DEBUG Date 0 is smaller than > > 1186827946.0 > > 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Log rotation detected for > > /var/log/mail.log > > 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Setting file position to 0 > > for /var/log/mail.log > > :( > > Justin. > > On Sun, 11 Nov 2007, Yaroslav Halchenko wrote: > >> Please give a try to > >> http://itanix.rutgers.edu/rumba/dists/sid/perspect/binary-all/net/fail2ban_0.8.1-3~pre1_all.deb > >> I propagated that new communication Cyril implemented in 0.9 branch. > >> Since it seems that more people hit the same issue with 0.8 version, it > >> might be reasonable to provide that new module within 0.8 as a bug fix > >> ;-) > >> Let me know if it works fine and I will upload it to debian if no > >> side-effects are mentioned > >> On Sat, 10 Nov 2007, Justin Piszcz wrote: > >>> http://sourceforge.net/mailarchive/forum.php?thread_name=2E31CE60-239F-4079-B3FB-7B3EF6A0C23F%40lemonbit.nl&forum_name=fail2ban-users > >>> Ahh here.. Wonder if this has been sent as a Debian bug report yet.. > >>> Justin. > >>> On Sat, 10 Nov 2007, Justin Piszcz wrote: > >>>> Restart/reboot does not help, I am monitoring 1 logfile, mail.log. It > >>>> appears I got unsubscribed from the mailing list or did not receive that > >>>> e-mail if it was in this thread? Do we know what causes the bug? Unless > >>>> you mean a previous thread from a couple months ago? > >>>> On Sat, 10 Nov 2007, Yaroslav Halchenko wrote: > >>>>> does restart help? > >>>>> does fresh tarball as Cyril suggested to try in thread > >>>>> Fail2Ban high cpu usage > >>>>> help? > >>>>> On Fri, 09 Nov 2007, Justin Piszcz wrote: > >>>>>> Distro: Debian Testing > >>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > >>>>>> 4294 root 20 0 81012 5264 1624 S 100 0.1 2:23.83 > >>>>>> fail2ban-server > >>>>>> With DEBUG = 4 > >>>>>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Date 0 is smaller than > >>>>>> 1186827946.0 > >>>>>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Log rotation detected > >>>>>> for > >>>>>> /var/log/mail.log > >>>>>> 2007-11-09 19:55:34,370 fail2ban.filter : DEBUG Setting file position > >>>>>> to > >>>>>> 0 for /var/log/mail.log > >>>>>> Any idea what's going on? > >>>>>> Stracing the process reveals: > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 1 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> select(0, NULL, NULL, NULL, {0, 1000}) = 0 (Timeout) > >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> select(0, NULL, NULL, NULL, {0, 2000}) = 0 (Timeout) > >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> select(0, NULL, NULL, NULL, {0, 4000}) = 0 (Timeout) > >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> select(0, NULL, NULL, NULL, {0, 8000}) = 0 (Timeout) > >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> select(0, NULL, NULL, NULL, {0, 16000}) = 0 (Timeout) > >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> select(0, NULL, NULL, NULL, {0, 32000}) = 0 (Timeout) > >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> select(0, NULL, NULL, NULL, {0, 50000}) = 0 (Timeout) > >>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>> Justin. > >>>>>> ------------------------------------------------------------------------- > >>>>>> This SF.net email is sponsored by: Splunk Inc. > >>>>>> Still grepping through log files to find problems? Stop. > >>>>>> Now Search log events and configuration files using AJAX and a browser. > >>>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/ > >>>>>> _______________________________________________ > >>>>>> Fail2ban-users mailing list > >>>>>> Fai...@li... > >>>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > >>>>> -- > >>>>> .-. > >>>>> =------------------------------ /v\ ----------------------------= > >>>>> Keep in touch // \\ (yoh@|www.)onerussian.com > >>>>> Yaroslav Halchenko /( )\ ICQ#: 60653192 > >>>>> Linux User ^^-^^ [175555] > >>>> ------------------------------------------------------------------------- > >>>> This SF.net email is sponsored by: Splunk Inc. > >>>> Still grepping through log files to find problems? Stop. > >>>> Now Search log events and configuration files using AJAX and a browser. > >>>> Download your FREE copy of Splunk now >> http://get.splunk.com/ > >>>> _______________________________________________ > >>>> Fail2ban-users mailing list > >>>> Fai...@li... > >>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > >>> ------------------------------------------------------------------------- > >>> This SF.net email is sponsored by: Splunk Inc. > >>> Still grepping through log files to find problems? Stop. > >>> Now Search log events and configuration files using AJAX and a browser. > >>> Download your FREE copy of Splunk now >> http://get.splunk.com/ > >>> _______________________________________________ > >>> Fail2ban-users mailing list > >>> Fai...@li... > >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > >> -- > >> .-. > >> =------------------------------ /v\ ----------------------------= > >> Keep in touch // \\ (yoh@|www.)onerussian.com > >> Yaroslav Halchenko /( )\ ICQ#: 60653192 > >> Linux User ^^-^^ [175555] > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. > Still grepping through log files to find problems? Stop. > Now Search log events and configuration files using AJAX and a browser. > Download your FREE copy of Splunk now >> http://get.splunk.com/ > _______________________________________________ > Fail2ban-users mailing list > Fai...@li... > https://lists.sourceforge.net/lists/listinfo/fail2ban-users -- .-. =------------------------------ /v\ ----------------------------= Keep in touch // \\ (yoh@|www.)onerussian.com Yaroslav Halchenko /( )\ ICQ#: 60653192 Linux User ^^-^^ [175555] |
From: Justin P. <jp...@lu...> - 2007-11-11 15:20:13
|
I am using postfix but can check that thread, thanks. On Sun, 11 Nov 2007, Yaroslav Halchenko wrote: > do... blind me... I guess you are using sendmail? > > could you have a look at the thread > "Log Rotation Detection and High CPU Overhead" > ? > > On Sun, 11 Nov 2007, Justin Piszcz wrote: > >> Hm I may have found what causes the bug, checking into it. > >> Justin. > >> On Sun, 11 Nov 2007, Justin Piszcz wrote: > >>> Giving it a try now. > >>> Same problem, 100% CPU again. >>> # dpkg -l | grep -i fail2 >>> ii fail2ban 0.8.1-3~pre1 bans IPs >>> that cause multiple authentication > >>> 2007-11-11 05:29:45,863 fail2ban.filter : DEBUG Date 0 is smaller than >>> 1186827946.0 >>> 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Log rotation detected for >>> /var/log/mail.log >>> 2007-11-11 05:29:45,864 fail2ban.filter : DEBUG Setting file position to 0 >>> for /var/log/mail.log > >>> :( > >>> Justin. > >>> On Sun, 11 Nov 2007, Yaroslav Halchenko wrote: > >>>> Please give a try to >>>> http://itanix.rutgers.edu/rumba/dists/sid/perspect/binary-all/net/fail2ban_0.8.1-3~pre1_all.deb > >>>> I propagated that new communication Cyril implemented in 0.9 branch. >>>> Since it seems that more people hit the same issue with 0.8 version, it >>>> might be reasonable to provide that new module within 0.8 as a bug fix >>>> ;-) > >>>> Let me know if it works fine and I will upload it to debian if no >>>> side-effects are mentioned > >>>> On Sat, 10 Nov 2007, Justin Piszcz wrote: > >>>>> http://sourceforge.net/mailarchive/forum.php?thread_name=2E31CE60-239F-4079-B3FB-7B3EF6A0C23F%40lemonbit.nl&forum_name=fail2ban-users > >>>>> Ahh here.. Wonder if this has been sent as a Debian bug report yet.. > >>>>> Justin. > >>>>> On Sat, 10 Nov 2007, Justin Piszcz wrote: > >>>>>> Restart/reboot does not help, I am monitoring 1 logfile, mail.log. It >>>>>> appears I got unsubscribed from the mailing list or did not receive that >>>>>> e-mail if it was in this thread? Do we know what causes the bug? Unless >>>>>> you mean a previous thread from a couple months ago? > >>>>>> On Sat, 10 Nov 2007, Yaroslav Halchenko wrote: > >>>>>>> does restart help? > >>>>>>> does fresh tarball as Cyril suggested to try in thread >>>>>>> Fail2Ban high cpu usage >>>>>>> help? > >>>>>>> On Fri, 09 Nov 2007, Justin Piszcz wrote: > >>>>>>>> Distro: Debian Testing > >>>>>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND >>>>>>>> 4294 root 20 0 81012 5264 1624 S 100 0.1 2:23.83 >>>>>>>> fail2ban-server > >>>>>>>> With DEBUG = 4 > >>>>>>>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Date 0 is smaller than >>>>>>>> 1186827946.0 >>>>>>>> 2007-11-09 19:55:34,369 fail2ban.filter : DEBUG Log rotation detected >>>>>>>> for >>>>>>>> /var/log/mail.log >>>>>>>> 2007-11-09 19:55:34,370 fail2ban.filter : DEBUG Setting file position >>>>>>>> to >>>>>>>> 0 for /var/log/mail.log > >>>>>>>> Any idea what's going on? > >>>>>>>> Stracing the process reveals: > >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 1 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> select(0, NULL, NULL, NULL, {0, 1000}) = 0 (Timeout) >>>>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> select(0, NULL, NULL, NULL, {0, 2000}) = 0 (Timeout) >>>>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> select(0, NULL, NULL, NULL, {0, 4000}) = 0 (Timeout) >>>>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> select(0, NULL, NULL, NULL, {0, 8000}) = 0 (Timeout) >>>>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> select(0, NULL, NULL, NULL, {0, 16000}) = 0 (Timeout) >>>>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> select(0, NULL, NULL, NULL, {0, 32000}) = 0 (Timeout) >>>>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> select(0, NULL, NULL, NULL, {0, 50000}) = 0 (Timeout) >>>>>>>> futex(0x807360, FUTEX_WAIT, 0, NULL) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 >>>>>>>> futex(0x807360, FUTEX_WAKE, 1) = 0 > >>>>>>>> Justin. > > >>>>>>>> ------------------------------------------------------------------------- >>>>>>>> This SF.net email is sponsored by: Splunk Inc. >>>>>>>> Still grepping through log files to find problems? Stop. >>>>>>>> Now Search log events and configuration files using AJAX and a browser. >>>>>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/ >>>>>>>> _______________________________________________ >>>>>>>> Fail2ban-users mailing list >>>>>>>> Fai...@li... >>>>>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > >>>>>>> -- >>>>>>> .-. >>>>>>> =------------------------------ /v\ ----------------------------= >>>>>>> Keep in touch // \\ (yoh@|www.)onerussian.com >>>>>>> Yaroslav Halchenko /( )\ ICQ#: 60653192 >>>>>>> Linux User ^^-^^ [175555] > > > >>>>>> ------------------------------------------------------------------------- >>>>>> This SF.net email is sponsored by: Splunk Inc. >>>>>> Still grepping through log files to find problems? Stop. >>>>>> Now Search log events and configuration files using AJAX and a browser. >>>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/ >>>>>> _______________________________________________ >>>>>> Fail2ban-users mailing list >>>>>> Fai...@li... >>>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > >>>>> ------------------------------------------------------------------------- >>>>> This SF.net email is sponsored by: Splunk Inc. >>>>> Still grepping through log files to find problems? Stop. >>>>> Now Search log events and configuration files using AJAX and a browser. >>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/ >>>>> _______________________________________________ >>>>> Fail2ban-users mailing list >>>>> Fai...@li... >>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > >>>> -- >>>> .-. >>>> =------------------------------ /v\ ----------------------------= >>>> Keep in touch // \\ (yoh@|www.)onerussian.com >>>> Yaroslav Halchenko /( )\ ICQ#: 60653192 >>>> Linux User ^^-^^ [175555] > > > > >> ------------------------------------------------------------------------- >> This SF.net email is sponsored by: Splunk Inc. >> Still grepping through log files to find problems? Stop. >> Now Search log events and configuration files using AJAX and a browser. >> Download your FREE copy of Splunk now >> http://get.splunk.com/ >> _______________________________________________ >> Fail2ban-users mailing list >> Fai...@li... >> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > > -- > .-. > =------------------------------ /v\ ----------------------------= > Keep in touch // \\ (yoh@|www.)onerussian.com > Yaroslav Halchenko /( )\ ICQ#: 60653192 > Linux User ^^-^^ [175555] > > |
From: Cyril J. <cyr...@fa...> - 2007-11-12 22:23:42
|
Hi all, Sorry for the late reply guys :( I'm still alive ;) I also think that some weird lines in your mail.log cause the log rotation "algorithm" to fail. fail2ban reads the file from the start, finds some strange lines, thinks it is log rotation, sets the file pointer to 0, reads the file from the start again, etc. I'm working on 0.9 and I have removed this timestamp check for log rotation. I guess that comparing the file size would be enough. Or even better, computing a hash of the first line of the file or maybe just comparing the first line. Moreover, reading the whole file at startup is probably not necessary. In 0.9, fail2ban will only read new lines. Simpler, better, faster ;) Maybe I should implement this in 0.8 too? Yaroslav, may I have your opinion? Regards, Cyril |
From: Yaroslav H. <li...@on...> - 2007-11-13 17:20:06
|
> Maybe I should implement this in 0.8 too? Yaroslav, may I have your opinion? if that would result in fixing some bug -- then you have my vote! ;-) -- .-. =------------------------------ /v\ ----------------------------= Keep in touch // \\ (yoh@|www.)onerussian.com Yaroslav Halchenko /( )\ ICQ#: 60653192 Linux User ^^-^^ [175555] |
From: Justin P. <jp...@lu...> - 2007-11-12 22:29:04
|
Perhaps it is when I set my clock back 1 hour due to daylight savings time? (or ntp rather) On Mon, 12 Nov 2007, Cyril Jaquier wrote: > Hi all, > > Sorry for the late reply guys :( I'm still alive ;) > > I also think that some weird lines in your mail.log cause the log > rotation "algorithm" to fail. > > fail2ban reads the file from the start, finds some strange lines, thinks > it is log rotation, sets the file pointer to 0, reads the file from the > start again, etc. > > I'm working on 0.9 and I have removed this timestamp check for log > rotation. I guess that comparing the file size would be enough. Or even > better, computing a hash of the first line of the file or maybe just > comparing the first line. > > Moreover, reading the whole file at startup is probably not necessary. > In 0.9, fail2ban will only read new lines. Simpler, better, faster ;) > > Maybe I should implement this in 0.8 too? Yaroslav, may I have your opinion? > > Regards, > > Cyril > |
From: Cyril J. <cyr...@fa...> - 2007-11-12 22:59:22
|
> Perhaps it is when I set my clock back 1 hour due to daylight savings > time? (or ntp rather) > Mmmhhh... I guess you find it ;) Could you look into your mail.log.old for a date that is smaller than a previous one? +1 for removing the timestamp comparison in log rotation detection ;) Regards, Cyril |